diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-15 23:01:27 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 18:25:58 +0200 |
commit | 9cec8471dae531072946daf5dcb74a0a9fe1e86c (patch) | |
tree | 52d041a00aea99e7b6789fd33a498ed468e3eadd /data/templates/firewall | |
parent | f75db67c495c0e9e251bebba46b75e9d085dece0 (diff) | |
download | vyos-1x-9cec8471dae531072946daf5dcb74a0a9fe1e86c.tar.gz vyos-1x-9cec8471dae531072946daf5dcb74a0a9fe1e86c.zip |
nat: T2198: sync generated DNAT rules with VyOS 1.2
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
Diffstat (limited to 'data/templates/firewall')
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 60 |
1 files changed, 33 insertions, 27 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 528c4d82a..929cae563 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -4,34 +4,33 @@ flush table nat {% if helper_functions == 'remove' %} - # NAT if going to be disabled - remove rules and targets from nftables - delete rule ip raw PREROUTING handle {{ pre_ct_ignore }} - delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }} - delete rule ip raw OUTPUT handle {{ out_ct_ignore }} - delete rule ip raw OUTPUT handle {{ out_ct_conntrack }} +{# NAT if going to be disabled - remove rules and targets from nftables #} +delete rule ip raw PREROUTING handle {{ pre_ct_ignore }} +delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }} +delete rule ip raw OUTPUT handle {{ out_ct_ignore }} +delete rule ip raw OUTPUT handle {{ out_ct_conntrack }} + +delete chain ip raw NAT_CONNTRACK - delete chain ip raw NAT_CONNTRACK {% elif helper_functions == 'add' %} - # NAT if enabled - add targets to nftables - add chain ip raw NAT_CONNTRACK - add rule ip raw NAT_CONNTRACK counter accept - - add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER - add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK - add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER - add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} +{# NAT if enabled - add targets to nftables #} +add chain ip raw NAT_CONNTRACK +add rule ip raw NAT_CONNTRACK counter accept +add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER +add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK +add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER +add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK +{% endif %} {% for r in destination if not r.disabled -%} {% set chain = "PREROUTING" %} {% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %} -{% set dst_port = "dport { " + r.dest_port +" }" %} -{% set trns_addr = r.translation_address %} +{% set dst_port = "dport { " + r.dest_port +" }" if r.dest_port %} +{% set trns_addr = "dnat to " + r.translation_address %} {% set trns_port = ":" + r.translation_port if r.translation_port %} -{% set trns = "dnat to " + trns_addr + trns_port if trns_port %} {% set comment = "DST-NAT-" + r.number %} -{% set iface = "iifname " + r.interface_in %} +{% set iface = r.interface_in %} {% if r.log %} {% if r.exclude %} @@ -45,25 +44,32 @@ flush table nat {% if r.exclude %} {# rule has been marked as "exclude" thus we simply return here #} -{% set trns = "return" %} +{% set trns_addr = "return" %} +{% set trns_port = "" %} {% endif %} {% if r.protocol == 'tcp_udp' %} {# Special handling for protocol tcp_udp which is represented as two individual rules #} +{% set comment = comment + " tcp_udp" %} {% if log %} -add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp" + +{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %} +{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %} + +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}" {% endif %} -add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter {{ trns }} comment {{ comment }} +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}" {% if log %} -add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp" +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}" {% endif %} -add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter {{ trns }} comment {{ comment }} -{% else %} +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}" +{% else %} +{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %} {% if log %} -add rule ip nat {{ chain }} {{ iface }} {{ r.protocol }} counter log prefix "{{ log }}" comment {{ comment }} +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}" {% endif %} -add rule ip nat {{ chain }} {{ iface }} {{ dst_addr }} {{ r.protocol }} {{ dst_port }} counter {{ trns }} comment {{ comment }} +add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}" {% endif %} {% endfor %} |